How to Close Ports

janderson622 · 03-27-2001, 09:09 AM

Hi all,

I'm new to this list, so I hope this hasn't been asked before. I friend of mine (a java developer) wrote a little TCP Port scanning tool for me and it's showing some open ports and I was wondering if you could point me in the right direction to get them closed.

I've got 2 different servers I'm working on, one is Red Hat 6.2 and the other is Red Hat 7.

Here are the TCP ports:

111
113
513
514
515

Also, Port 53 is open on TCP for DNS, but I do not do any zone transfers, cna (and how) do I shut that port down.

Thanks in advance,

--John

Mike_the_Man · 03-29-2001, 08:43 PM

You can try going into your inetd.conf and commenting out the services that pertain to that port. See if that works. I had the same problem and that is how I solved it.

Mike

trickykid · 03-30-2001, 07:40 AM

Remember though, RH 7 doesn't have inetd anymore, its xinetd.

Mike_the_Man · 03-30-2001, 02:32 PM

Thats right, you can try commenting it out in /etc/services, right?

Copenhagen Cowboy · 03-30-2001, 03:07 PM

Yes, you can comment it out there.

janderson622 · 04-02-2001, 10:00 AM

Hi - That's the sneaky thing about this, 111 is commented out in the /etc/services, but that port is still accepting connections.

Any thoughts?

--John

jeremy · 04-02-2001, 03:23 PM

Port 111 is for portmapper (which is used for NFS). If you kill portmapper it will close the port.

janderson622 · 04-05-2001, 08:01 AM

Thanks jeremy, that did it.

--John

tommytomato · 11-26-2003, 11:30 PM

Hi guys i'm working on the same thing.

I've used the command nmap myIP

and my result is

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-27 00:28 WST
Interesting ports on 10.x.x.x:
(The 1652 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https

Nmap run completed -- 1 IP address (1 host up) scanned in 8.013 seconds

now to close a port you stay comment out the ones you want right ?

sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

Is it both of them? like so

#sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
#sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

tommytomato

unSpawn · 11-27-2003, 09:28 AM

Is it both of them? like so

#sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
#sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

Yes, that's how you comment out stuff, but what file are you editing?
I hope it's not /etc/services...

Bebo · 11-27-2003, 10:10 AM

It won't help to just comment out lines in /etc/services when you want to close ports. Shut down the daemons listening; for some distros you can list the running services with chkconfig --list, and then shut down the unwanted services with some other chkconfig option(s); see the man page. And then set up iptables using your favourite editor or quicktables or shorewall or whatever other frontend.

iceman47 · 11-27-2003, 02:22 PM

tommytomato:
If you don't need the running services at all do this:
look for the symlinks to the scripts in /etc/rcX.d (where X is the runlevel number) and delete them.
Then stop them:
/sbin/service <nameservice> stop (for RH compatible I believe)
/etc/init.d/<nameservice> stop (the rest?)

Maybe they get started through xinetd, in that case you should search for them in
/etc/xinetd.d , edit the script and set disable yes.
Then restart xinetd: /sbin/service xinetd restart (for RH compatible) or just /etc/init.d/xinetd.d restart (the rest?)

tommytomato · 11-27-2003, 07:44 PM

Thanks guys,

what i'm trying to do is make my server as sercue as possible.

I have my server hooked up to a ADSL unit and port 80 is the only one open.

so it should be safe.

but when i run nmap localhost

i get this

[root@www root]# nmap localhost

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-27 20:27 WST
Interesting ports on www.rockinghamgateway.com (127.0.0.1):
(The 1647 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
443/tcp open https
631/tcp open ipp
783/tcp open hp-alarm-mgr
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt

Nmap run completed -- 1 IP address (1 host up) scanned in 2.751 seconds

and then if i run the IP eth0 #nmap 10.1.1.9

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-11-27 20:34 WST
Interesting ports on 10.1.1.9:
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp <---- IS FTP
22/tcp open ssh <----sshd
80/tcp open http <-----Apache webserver
111/tcp open rpcbind <-----I think its portmapper
443/tcp open https <---sercue webserver
3306/tcp open mysql <---- is mysqld
10000/tcp open snet-sensor-mgmt <--- is this webmin ???

Nmap run completed -- 1 IP address (1 host up) scanned in 23.011 seconds

Iceman47 ,so your saying to do it like this ?

Then stop them:
/sbin/service <rpcbind> stop (for RH compatible I believe)
/etc/init.d/<rpcbind> stop (the rest?)

My OS is Fedora Core 1 running just a shell no GUI, i have startx working
and most of my setup is done..apart from blocking ports

I am at a lost to this...the main ones i would be looking to block is port 111,783,631....

As i am a new user i dont know alot about it!
can any one explanie this in simple terms. as in do i need to block or dont I need to block any ?

tommytomato

iceman47 · 11-27-2003, 08:38 PM

Quote:

Originally posted by tommytomato
"10000/tcp open snet-sensor-mgmt <--- is this webmin ???"

Yes

Quote:

Iceman47 ,so your saying to do it like this ?

Then stop them:
/sbin/service <rpcbind> stop (for RH compatible I believe)
/etc/init.d/<rpcbind> stop (the rest?)

If you want to stop rpcbind do /sbin/service portmap stop.
But that won't survive a reboot, so you have 2 options:
* remove the actual script (<-not that smart in case you do need it at a later date)
* remove the symlink to the script.

A symlink is a symbolic link to a file, like a shortcut in windoze.
You'll find those symlinks in the runlevel folders (/etc/rc0.d -> /etc/rc6.d)
So if you want to disable portmap (rpcbind) remove all the symlinks ending with
portmap in /etc/rc0.d through /etc/rc6.d.
Reboot and you'll notice portmapper (rpcbind) won't run anymore

repeat for everything you want to see disabled

Others get started from xinetd like I said before, but I think that explenation
was clear.

What you want to disable is up to you, just disable services you don't need.

tommytomato · 11-27-2003, 10:07 PM

thank you,
i'll work though it.

I do have a prob i think

my site wont show, if i switch to the XP IIS it works, but if i switch back to the linux webserver, we get page cant be found.

do my per look ok..
?

[root@www root]# ls -al /var/www/html
total 84
drwxrwxr-x 5 root gateway 4096 Nov 27 09:22 .
drwxr-xr-x 7 root root 4096 Nov 27 03:11 ..
drwxr-xr-x 11 tommytomato tommytomato 4096 Nov 27 09:24 community
-rw-r--r-- 1 tommytomato tommytomato 2494 Nov 27 08:24 favicon.ico
drwxr-xr-x 3 tommytomato tommytomato 4096 Nov 27 08:24 images
-rw-r--r-- 1 tommytomato tommytomato 7575 Nov 27 08:24 index_behind.php
-rw-r--r-- 1 tommytomato tommytomato 8040 Nov 27 08:24 index.php
-rw-r--r-- 1 tommytomato tommytomato 30737 Nov 27 08:24 mm_menu.js
-rw-r--r-- 1 tommytomato tommytomato 8362 Nov 27 09:07 notes.txt
drwxrwxr-x 2 root gateway 4096 Nov 27 09:52 usage
[root@www root]#

I wondering if i have to add index.php in using webmin, i think it's only got index.html

tommytomato